Companies seem oblivious to the risks they are exposing their customers to by apparently ignoring information security good practice in the race to get out new products.
Just look at what’s emerged at Black Hat this week: a major flaw was discovered in Samsung Pay that allows attackers to hijack and replay payments.
Computer science student Salvador Mendoza demonstrated how an attacker could steal payment tokens from the Magnetic Secure Transmission (MST) technology that sits at the heart of Samsung’s new payment system.
The tech was part of the LoopPay acquisition last year, which was intended to propel Samsung into the lead in the mobile payment race where previously the only real contender was Apple Pay.
However, the race to market often drives shortcuts in the information assurance process: getting rubber on the road is seen as the only way to stay in the game, rather than ensuring the product is robust, secure and able to stand up to heavy testing from the security community.
Samsung Pay uses MST to turn older point-of-sale devices into contactless terminals, capable of receiving the tokenised credit card information sent from the phone handset. Mendoza’s research shows that an attacker can reuse an intercepted MST payment, which in most people’s opinion is a fairly critical issue.
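As an added illustration that is not part of the original article and is not Samsung Pay's or any card network's real tokenisation scheme, the following Python model shows the defender's side of the replay problem: a token that is merely authentic (it carries a valid MAC) can be redeemed again by anyone who captured it, whereas an issuer-side check needs a freshness window plus single-use tracking before it rejects a replay. The key, the token layout, the `card-ref-0001` account reference and the fake clock are all constructed for this example.

```python
"""Replay protection for single-use payment tokens (hypothetical model)."""
import hashlib
import hmac
import secrets
import time

ACCEPTED, REPLAYED, EXPIRED, BAD_MAC = "accepted", "replayed", "expired", "bad_mac"


class FakeClock:
    """Deterministic clock so expiry behaviour can be shown without sleeping."""

    def __init__(self, start: int):
        self.t = start

    def now(self) -> int:
        return self.t


class TokenIssuer:
    """Issues one-time tokens and redeems them (constructed example, not a real scheme)."""

    def __init__(self, key: bytes, validity_seconds: int = 60, now=time.time):
        self._key = key
        self._validity = validity_seconds
        self._now = now            # injectable clock
        self._counter = 0          # monotonically increasing per issued token
        self._redeemed = set()     # counters that have already been spent

    def issue(self, account_ref: str) -> str:
        """Token = account_ref|counter|issued_at|nonce|HMAC-SHA256 over the first four fields."""
        self._counter += 1
        body = "|".join([account_ref, str(self._counter),
                         str(int(self._now())), secrets.token_hex(8)])
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{mac}"

    def _verify_mac(self, token: str):
        """Return the token's fields if the MAC is valid, else None."""
        parts = token.split("|")
        if len(parts) != 5:
            return None
        body, mac = "|".join(parts[:4]), parts[4]
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None
        return parts

    def redeem_naive(self, token: str) -> str:
        """Weak acceptor: checks authenticity only, so a captured token is replayable."""
        return BAD_MAC if self._verify_mac(token) is None else ACCEPTED

    def redeem(self, token: str) -> str:
        """Hardened acceptor: authenticity, freshness window, and single use."""
        parts = self._verify_mac(token)
        if parts is None:
            return BAD_MAC
        counter, issued_at = int(parts[1]), int(parts[2])
        if self._now() - issued_at > self._validity:
            return EXPIRED
        if counter in self._redeemed:
            return REPLAYED
        self._redeemed.add(counter)
        return ACCEPTED


def demo() -> dict:
    """Run the same captured token through both acceptors; returns the outcomes."""
    clock = FakeClock(1_000_000)
    issuer = TokenIssuer(key=b"demo-issuer-key", validity_seconds=60, now=clock.now)

    captured = issuer.issue("card-ref-0001")      # constructed sample token
    results = {
        "naive_first": issuer.redeem_naive(captured),
        "naive_replay": issuer.redeem_naive(captured),    # still accepted
        "hardened_first": issuer.redeem(captured),
        "hardened_replay": issuer.redeem(captured),       # rejected as a replay
    }

    stale = issuer.issue("card-ref-0001")
    clock.t += 120                                         # beyond the 60 s window
    results["hardened_stale"] = issuer.redeem(stale)

    fresh = issuer.issue("card-ref-0001")
    tampered = fresh[:-1] + ("0" if fresh[-1] != "0" else "1")  # flip last MAC char
    results["hardened_tampered"] = issuer.redeem(tampered)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} {outcome}")
```

The point of the two acceptors is that MST terminals only relay what the handset sends, so replay resistance has to live wherever the token is redeemed; a short validity window limits how long a captured token is useful, and the spent-counter set (in a real deployment, a shared store rather than an in-memory set) is what actually stops the second presentation.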
However, Samsung was originally notified about this back in April, yet still has not provided a fix, because it claims the flaw is extremely unlikely to succeed, and it had therefore deemed the risk acceptable.
Samsung was also in the news back in May when researchers from the University of Michigan showed they could hack Samsung’s SmartThings smart home automation system and steal the PIN to someone’s front door.
This lack of security focus on two of Samsung’s product lines is concerning since a breach on either would actually have real-world effects.
This is exactly the problem we are seeing with the security issues arising from the internet of things (IoT). As platforms and devices become connected and their use becomes popularised (such as appearing in every car or passenger airplane), attackers view them as viable and valuable targets – they have something to gain if they hack them.
Furthermore, the majority of IoT companies are small players, providing niche functions to markets that traditionally don’t understand security, so it’s not surprising that they miss out on the security requirements that big businesses have dealt with for a long time.
Even consumer divisions of big companies won’t necessarily have the security architects and engineers available to help them design robust systems, given they are driven by different imperatives.
These teams need to be educated in secure development, threat modelling, security requirements management and testing, so that the end-to-end solution is properly secured to protect data and ensure it can’t be misused by an attacker.
Companies have to start taking the security of IoT products seriously. Rather than just focusing on the implicit benefit they provide, they need to consider all of the problems that enterprises have dealt with for decades, such as having systems for patching and fixing security flaws. A vulnerability deployed within a car’s engine management system could have a much greater impact than the same vulnerability deployed in an enterprise email system.
This is an issue of education, not regulation. It’s up to enterprise security teams to recognise where there is potential within their own organisations to miss critical security controls and help developers understand how to build security into their product design lifecycles.
Only then will the race to market be slowed and people will understand that buying quality needs to include security, safety and privacy.